COMP 324 : INFORMATION SYSTEMS SECURITY

Course Content
Key concepts in Information Security. Information Security in Networked Enterprises. Threats and
vulnerabilities analysis. Effective System Administration. Policies. Risk management. ICT Security
planning. Operational issues in ICT security (incident handling, training, backups etc). Physical
security. Personnel issues. Types and uses of security devices. Business Continuity and Disaster
Recovery Planning. Network Security; (identification and authentication, logical access control,
Routers, Proxies, and Firewalls audit trails). Security Across Different Operating Systems and
Platforms. Detection of security breaches.
Assessment
Continuous Assessment Tests (CATs): 40%
End of Semester Written Examinations: 60%

Learning Materials

Information Systems Security Handbook -Isaca

1
LECTURE 1
Key concepts in Information Security
Information security is the practice of defending information from unauthorized access, use,
disclosure, disruption, modification, perusal, inspection, recording or destruction.
It is also defined as preservation of confidentiality, integrity and availability of information. Other
properties, such as authenticity, accountability, non-repudiation and reliability can also be involved.
Two major aspects of information security are:
● IT security: (Also computer security), It is responsible for keeping all of the technology within
the company secure from malicious cyber attacks that often attempt to breach into critical
private information or gain control of the internal systems.
● Information assurance: The act of ensuring that data is not lost when critical issues arise.
These issues include: natural disasters, computer/server malfunction, physical theft, or any
other instance where data has the potential of being lost.

Basic principles
Confidentiality
Is a set of rules or a promise that limits access or places restrictions on certain types of information.
Confidentiality refers to limiting information access and disclosure to authorized users -- "the right
people" -- and preventing access by or disclosure to unauthorized ones -- "the wrong people."
Authentication methods like user-IDs and passwords, that uniquely identify data systems' users and
control access to data systems' resources, underpin the goal of confidentiality.

Integrity
● Data integrity means maintaining and assuring the accuracy and consistency of data over its
entire life-cycle.
● Data cannot be modified in an unauthorized or undetected manner.
● Integrity is violated when a message is actively modified in transit.

Availability
This means that the computing systems used to store and process the information, the security
controls used to protect it, and the communication channels used to access it must be functioning
correctly.
● High availability systems aim to remain available at all times, preventing service disruptions due
to power outages, hardware failures, and system upgrades.
● Ensuring availability involves preventing denial-of-service attacks, such as a flood of incoming
messages to the target system essentially forcing it to shut down.

Non-repudiation
It implies that one party of a transaction cannot deny having received a transaction nor can the
other party deny having sent a transaction.
Why is security difficult?
● Data is handled by many people.
● Data networks cover large geographical areas
● There are many threats to information systems
● It is difficult to learn through experience
● It is not possible to measure cost benefit analysis
● Policies are difficult to implement as many people see security as a nuisance / causing
2
 inconvenience.

Common Terms
● Risk is the likelihood that something bad will happen that causes harm to an informational
asset (or the loss of the asset).
● Vulnerability is a weakness that could be used to endanger or cause harm to an
informational asset.
● A threat is anything (manmade or act of nature) that has the potential to cause harm.
● The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a
threat does use a vulnerability to inflict harm, it has an impact
● Impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost
income, loss of life, loss of real property). It should be pointed out that it is not possible to
identify all risks, nor is it possible to eliminate all risk. The remaining risk is called "residual
risk".
● A risk assessment is carried out by a team of people who have knowledge of specific areas
of the business.

The risks in information systems

● Physical loss of data. You may lose immediate access to your data for reasons ranging
from floods to loss of electric power. You may also lose access to your data for more subtle
reasons: the second disk failure, for example, while your RAID array recovers from the first.
● Unauthorized access to your own data and client or customer data. Remember, if you have
confidential information from clients or customers, you’re often contractually obliged to
protect that data as if it were your own.
● Interception of data in transit. Risks include data transmitted between company sites, or
between the company and employees, partners, and contractors at home or other locations.
● Your data in someone else’s hands. Do you share your data with third parties, including
contractors, partners, or your sales channel? What protects your data while it is in their
hands?
● Data corruption. Intentional corruption might modify data so that it favors an external
party: think Trojan horses or keystroke loggers on PCs. Unintentional corruption might be
due to a software error that overwrites valid data.
● Email Interception
● Email Spoofing
● Web Data Interception
● Network & Volume Invasion
● Marketing Data / Spam & Junk Mail
● Viruses, Worms, Trojan Horses
● Password Cracking
● Mail bomb
● Denial of Service (DoS)
● Piracy of Intellectual Property

Exercise
What are the elements of a good security program?
Why is it difficult to secure information systems?
3
Information Security in Networked Enterprises
Your typical security engineer may say it must have firewalls, intrusion detection or any number of
security focused technologies.
Meanwhile a security tester may suggest that it is conducting penetration testing to provide
assurances that security widgets are working well.

Information security is about adopting the right measures and controls for a given entity at a given
point in time. Threats change and vulnerabilities are introduced or removed, demanding that security
evolves simply to keep pace.

1: Appointing a security officer

Every organization should assign a security officer even if the role is given to an individual who wears
multiple hats. Larger organizations may establish a dedicated position - the chief security officer who
presides over a team of specialists addressing the different areas of information security.
The security officer is the central point for managing proactive and reactive information security
tasks. The day to day activities for the individual resources that work in the domain will depend on
the size and focus of an organization but ultimately the security officer role should be accountable
for the following:
● Strategy -- identifying the security posture an organisation wishes to maintain and how this will
be achieved.
● Operations -- monitoring of security alerts and management of security assets, for example
intrusion detection, jump hosts, firewalls and scanning tools.
● Architecture -- ensuring security is designed into the businesses technology and processes.
● Consultation -- providing consultation to projects or business units by way of requirements,
reviews, recommendations and risk assessment.
● Bottom of Form
● Analysis -- researching products or specific technical issues to assist in provisioning of
technology or remediation of vulnerabilities.
● Testing -- providing security testing such as penetration testing for projects and rolling
assurance exercises.
● Emergency Response -- responding to emergency security incidents such as the compromise of
information assets or the loss of service through a denial of service attack.
● Programme manager -- acting as the business sponsor for a rolling security programme of work.

2: Security reporting
Reporting provides a "heartbeat" for information security across an organisation. It ensures the right
people remain up to date on the latest incidents, threats and initiatives that will influence the security
posture.
Regular reporting ensures those that are accountable for securing information assets are aware of
the risks they may have inherited and the rigour in the controls that protect them.
Security reports must be written for their audience and this is an area where security professionals
often fall down.
The content must be accurate but presented at a level that can be consumed by the target audience.
Reports destined for technologists with an appreciation of the hands on should be literal and explain
any vulnerabilities and controls in technical terms.
Those intended for managers with a technical background should be explained conceptually and
4
include references to technical detail that supports any conclusions.
Those intended for parties outside the technology group such as the CEO or chief risk officer should
wholly focus on the business impact where the conclusions are justified by a well-designed and
established.

3: Develop governance
For an organisation to maintain a consistent security posture people within that organisation must
have clear instructions that tells them how to behave. Governance ensures that people are aware
how they should conduct themselves and if well constructed encourages them to behave in a way
that maintains or may even improve security. There are useful standards such as those produced by
International Standards Organisation, National Institute for Standards and Technology and the
Government Communications .

4: Develop a security incident management plan

Every organisation will experience a security incident. The impact of that incident and the likelihood
of it repeating is directly impacted by how an organisation manages it.
● Was the incident clearly identified, validated and contained?
● Was the vulnerability that led to it identified and is there a plan to remediate or apply additional
countermeasures?
● Was the incident reported to an appropriate authority inside the organisation and do any
external parties need to be notified?
These are but a few questions that are answered through a well formed security incident
management plan.
The plan should identify a front door for people reporting potential incidents. From there it should
define an auditable process that validates the incident and initiates a response team well placed to
deal with it. The owner of the plan is the security officer who remains a central part of the response
team.
The plan will dictate how the incidents progress is recorded and what if any information is disclosed
to a wider audience. Typically it will empower the response team to operate outside governance,
bypassing change control and other processes that are designed for business as usual rather than
an unforeseen emergency.

5: Initiate a security programme of work

Security initiatives require a vehicle to carry them through design, build and implementation.
Grouping them all in a single program of work allows for budgets to be managed more easily and
ensures the investment in information security is transparent. Upgrades of security devices such as
firewalls and antivirus may be included in the programme, as well as any capital investment in
information security, such as an identity and access management system.
The security programme should be primarily focussed on enhancing information security and be
funded at a level that an organisation considers appropriate. The security officer should have a list of
initiatives in order of priority and the allocated budget should fund those at the top of the list.

6: Assess the security of all initiatives

An unfortunately common observation is that organisations invest heavily in security controls in one
area but due to budgetary constraints ignore others. For example the website may have extensive
technical controls and receive frequent security testing while the "trusted" third party connections are
left unchecked. Often this is due to incorrect assumptions being made by the business on what the
5
security implications of an action are.
A security assessment should be focused on empowering the business to decide whether an
initiative should progress, change direction, be reviewed at a more detailed level or in the most severe
cases be halted.

7: Complete period-based assurance tasks

While assessing the security of all initiatives is a proactive way of ensuring security is built in, it is also
important to be reactive. With the best intent and design, it is possible for vulnerabilities to be
introduced into a technical environment through human error or as the result of an aggregation of
technical anomalies. Completing periodic assurance tasks is intended to identify and manage
vulnerabilities that may not have been foreseen.
One of the most commonly practiced assurance measures is penetration testing. It provides a high
level of assurance that the tested technology would be resistant to a targeted attack by an skilled
attacker. It is however relatively expensive and often tightly scoped. Given the specialized nature of
security testing it could be worth considering using a third party security practitioner. A practitioner
can ensure that the scope is appropriate and that the tester is reputable.

8: Provide security training

Security training is a widely recognised requirement for a mature organisation; but all too often the
bare minimum is provided, such as an induction session which ensures everyone knows they
shouldn't write their password down.
Induction training is a great idea but beyond making people aware of the security policy, it should be
different for different roles. Members of the executive face different threats and employ different
countermeasures to those holding a position on the help-desk. The former will likely require a one on
one sessions while the later may be inducted as part of a group.
While security training may seem expensive, it is probably one of the best returns on investment for
an organisation. Guarding against one phishing attempt may be the difference between winning the
next big contract or recovering from an embarrassing information leak.

9: Develop a whistleblower process

Securing an organisation is not limited to the practices of security specialists. It includes everyone
from those cleaning the office (often with unparalleled access) to those on the board. It includes
partner organisations and their staff and their partners and so the list goes on. Along with
supporting (or opposing) security controls, staff and third party affiliates are a useful source of
information about security events. They may observe vulnerabilities or even be aware of
vulnerabilities being exploited. This information is extremely valuable and should be captured and
processed to aid in improving ones security posture.
Reporting of shortcomings is not always something that a hierarchy does particularly well. There is
little incentive for a middle manager to report a shortcoming in an area he/she is responsible for. It
may lead to embarrassment or additional work and for these reasons potential risks can be swept
under the rug. A solution is to develop a whistleblower process which allows anyone to report a
perceived security issue to an information security authority in confidence; without fear of
repercussions.

10: Consider security functionally

A challenge that faces many organizations’ is the apparent power that security practitioners require
to do their job. They often have super user rights on a system to provide oversight or control access
6
and they often report to senior management even though they aren't necessarily executive level
managers themselves. Security is a functional requirement rather than a hierarchical one.
In designing security roles and responsibilities the function of that role must be considered as a
focus on hierarchy will weaken an organization’s ability manage information security well. It can
mean the removal of critical information flows as security reports are summarized into something
more general. It can risk unnecessary spending on security products to imply progress in the
absence of consultation to the right level.
NB
In order for each of these items to be effective they must involve an experienced security practitioner
and such people aren't that easy to find.
Engineers can build the firewalls and testers can break them but in the first instance someone is
required who can decide whether the firewall is required or not.

CAT 1

a) What is a honeypot? Give advantages of honeypots. [5 MKS]

b) Explain any five tools/ products you would use in monitoring network security. [5 MKS]
c) How do you fight hackers in a network? [5 MKS]
d) Explain how stack and buffer overflow is a threat to operating systems. [5 MKS]

7
LECTURE 2 – RISK ANALYSIS

Threat/Vulnerability Assessments and Risk Analysis

All facilities face a certain level of risk associated with various threats. These threats may be the result of
natural events, accidents, or intentional acts to cause harm. Regardless of the nature of the threat, facility
owners have a responsibility to limit or manage risks from these threats to the extent possible.

Threat Assessment
The first step in a risk management program is a threat assessment. A threat assessment considers the full
spectrum of threats (i.e., natural, criminal, terrorist, accidental, etc.) for a given facility/location.
The assessment should examine supporting information to evaluate the likelihood of occurrence for each
threat. For natural threats, historical data concerning frequency of occurrence for given natural disasters
such as tornadoes, hurricanes, floods, fire, or earthquakes can be used to determine the credibility of the
given threat.

Vulnerability Assessment
Once the credible threats are identified, a vulnerability assessment must be performed. The vulnerability
assessment considers the potential impact of loss from a successful attack as well as the vulnerability of
the facility/location to an attack. Impact of loss is the degree to which the mission of the agency is impaired
by a successful attack from the given threat. A sample set of definitions for impact of loss is provided
below. These definitions are for an organization that generates revenue by serving the public.
● Devastating: The facility is damaged/contaminated beyond habitable use. Most items/assets are
lost, destroyed, or damaged beyond repair/restoration. The number of visitors to other facilities in
the organization may be reduced by up to 75% for a limited period of time.
● Severe: The facility is partially damaged/contaminated. Examples include partial structure breach
resulting in weather/water, smoke, impact, or fire damage to some areas. Some items/assets in the
facility are damaged beyond repair, but the facility remains mostly intact. The entire facility may be
closed for a period of up to two weeks and a portion of the facility may be closed for an extended
period of time (more than one month). Some assets may need to be moved to remote locations to
protect them from environmental damage. The number of visitors to the facility and others in the
organization may be reduced by up to 50% for a limited period of time.
● Noticeable: The facility is temporarily closed or unable to operate, but can continue without an
interruption of more than one day. A limited number of assets may be damaged, but the majority of
the facility is not affected. The number of visitors to the facility and others in the organization may
be reduced by up to 25% for a limited period of time.
● Minor: The facility experiences no significant impact on operations (downtime is less than four
hours) and there is no loss of major assets.
Vulnerability is defined to be a combination of the attractiveness of a facility as a target and the level of
deterrence and/or defense provided by the existing countermeasures. Target attractiveness is a measure of
the asset or facility in the eyes of an aggressor and is influenced by the function and/or symbolic
importance of the facility. Sample definitions for vulnerability ratings are as follows:
● Very High: This is a high profile facility that provides a very attractive target for potential
adversaries, and the level of deterrence and/or defense provided by the existing countermeasures is
inadequate.

1
 ● High: This is a high profile regional facility or a moderate profile national facility that provides an
attractive target and/or the level of deterrence and/or defense provided by the existing
countermeasures is inadequate.
● Moderate: This is a moderate profile facility (not well known outside the local area or region) that
provides a potential target and/or the level of deterrence and/or defense provided by the existing
countermeasures is marginally adequate.
● Low: This is not a high profile facility and provides a possible target and/or the level of deterrence
and/or defense provided by the existing countermeasures is adequate.

RISK MANAGEMENT
Risk Analysis is a process of evaluating the probability of hazardous events
Risk: is a quantified measure of the likelihood of a threat being realised.
● The strength of an information infrastructure depends on how well information resources are
managed--what, how, where, and for whom sources of information are established and made
available for reuse
● To say Risk Analysis is an important issue is an understatement. It is difficult to quantify the losses
suffered each year by businesses arising from the use and misuse of Information Systems (IS)
IS risk analysis is the process of:
● identifying potential causes of loss;
● designing and implementing controls to prevent them, and, should these fail;
● Designing and implementing controls to detect any occurrences and to minimize their effect.
Risk Analysis involves the identification and assessment of the levels of risk, calculated from the
● Values of assets
● Threats to the assets
● Their vulnerabilities and likelihood of exploitation
Risk Management involves the identification, selection and adoption of security measures justified by
◦ The identified risks to assets
◦ The reduction of these risks to acceptable levels

Risk Analysis and Management

An agreed upon framework is:-

To asses risk:-
● use a risk matrix to evaluate threat & counter-measure

2
 ● use a risk management model to manage threat
Responses to Risk
You respond to a risk by either:-
● Avoid it completely by withdrawing from an activity
● Accept it and do nothing
● Reduce it with security measures
● Transfer – Involves a third-party liability taking/ insurance.

DESIGNING RISK ANALYSIS

When designing a risk analysis for information systems, the following components can be considered:
● People--the information users and producers who direct, prioritize, interpret, and apply data and
information to policy problems
● Documents, databases, and other information entities that hold information and data collections
● Information processes such as collection, storage, retrieval, dissemination, communication, and
display
● Information technologies--the know-how for manipulating and accessing information, including
the conceptual, statistical, and model-building structures that aggregate and process data and
produce information content, as well as mechanisms, people, and/or systems that provide
intellectual, physical, and economical access to information

Security Models
A security policy is a document that expresses clearly and concisely what the protection
mechanisms are to achieve.
A security model is a specification of a security policy:
● it describes the entities governed by the policy,
● It states the rules that constitute the policy.
There are various types of security models:
● Models can capture policies for confidentiality (Bell-LaPadula) or for integrity (Biba, Clark-Wilson).
● Some models apply to environments with static policies (Bell-LaPadula), others consider dynamic
changes of access rights (Chinese Wall).
● Security models can be informal (Clark-Wilson), semi-formal, or formal (Bell-LaPadula, Harrison-
Ruzzo-Ullman).
3
Model vs Policy
● A security model maps the abstract goals of the policy to information system terms by specifying
explicit data structures and techniques that are necessary to enforce the security policy. A security
model is usually represented in mathematics and analytical ideas, which are then mapped to system
specifications, and then developed by programmers through programming code
● For Example, if a security policy states that subjects need to be authorized to access objects, the
security model would provide the mathematical relationships and formulas explaining how x can
access y only through the outlined specific methods
● A security policy outlines goals without regard to how they will be accomplished. A model is a
framework that gives the policy form and solves security access problems for particular situations.
Note

SECURITY DESIGN PRINCIPLES

Security is a system requirement just like performance, capability, cost, etc. Therefore, it may be necessary
to trade off certain security requirements to gain others.

Principles of Secure Design

● Design security in from the start
● Allow for future security enhancements
● Minimize and isolate security controls
● Employ least privilege
● Structure the security relevant features
● Make security friendly
● Don’t depend on secrecy for security
● Economy of mechanism- Should be sufficiently small and as simple as to be verified and
implemented – e.g., security kernel. Complex mechanisms should be correctly Understood, Modeled,
Configured, Implemented and Used
● Complete mediation- Every access to every object must be checked
● Psychological acceptability- User interface must be easy to use, so that users routinely and
automatically apply the mechanisms correctly. Otherwise, they will be bypassed
● Fail-safe defaults- Should be lack of access
● Secure the weakest link
● Compartmentalize- Minimize the amount of damage that can be done by breaking the system into
units
● Use your community resources- Public scrutiny promotes trust

CONTROLS
Security controls are safeguards or countermeasures to avoid, counteract or minimize security
risks relating to personal property, or any company property.
The control environment sets the tone of an organization, influencing the control consciousness of its
people. It is the foundation for all other components of internal control, providing discipline and structure.

4
Control environment factors include the integrity, ethical values, and competence of the entity’s people;
management’s philosophy and operating style; and the way management assigns authority and organizes
and develops its people
Activity phase controls can be classified as follows:
• Preventative controls exist to prevent the threat from coming in contact with the weakness.
• Detective controls exist to identify that the threat has landed in our systems.
• Corrective controls exist to mitigate or lessen the effects of the threat being manifested.

Organizational Controls
Organizational controls are procedures and processes that define how people in the organization should
perform their duties.
Preventative controls in this category include:
● Clear roles and responsibilities. These must be clearly defined and documented so that
management and staff clearly understand who is responsible for ensuring that an appropriate level
of security is implemented for the most important IT assets.
● Separation of duties and least privileges. When properly implemented, these ensure that people
have only enough access to IT systems to effectively perform their job duties and no more.
● Documented security plans and procedures. These are developed to explain how controls have
been implemented and how they are to be maintained.
● Security training and ongoing awareness campaigns. This is necessary for all members of the
organization so that users and members of the IT team understand their responsibilities and how to
properly utilize the computing resources while protecting the organization's data.
● Systems and processes for provisioning and de-provisioning users. These controls are necessary
so that new members of the organization are able to become productive quickly, while leaving
personnel lose access immediately upon departure. Processes for provisioning should also include
employee transfers from groups within the company where privileges and access change from one
level to another.
● Established processes for granting access to contractors, vendors, partners, and customers. This
is often a variation on user provisioning, mentioned previously, but in many cases it is very distinct.
Sharing some data with one group of external users while sharing a different collection of data with
a different group can be challenging. Legal and regulatory requirements often impact the choices,
for example when health or financial data is involved.
Detection controls in this category include:
● Performing continuing risk management programs to assess and control risks to the
organization's key assets.
● Executing recurrent reviews of controls to verify the controls' efficacy.
● Periodic undertaking of system audits to ensure that systems have not been compromised or
misconfigured.
● Performing background investigations of prospective candidates for employment; You should
contemplate implementing additional background investigations for employees when they are being
considered for promotions to positions with a significantly higher level of access to the
organization's IT assets.
● Establishing a rotation of duties, this is an effective way to uncover notorious activities by
members of the IT team or users with access to sensitive information.
Management controls in this category include:
● Incident response planning, which provides an organization with the ability to quickly react to and
recover from security violations while minimizing their impact and preventing the spread of the
incident to other systems.

5
 ● Business continuity planning, which enables an organization to recover from catastrophic events
that impact a large fraction of the IT infrastructure.
Operational Controls
Operational controls define how people in the organization should handle data, software and hardware.
They also include environmental and physical protections as described below.
Preventative controls in this category include:
● Protection of computing facilities by physical means such as guards, electronic badges and locks,
biometric locks, and fences.
● Physical protection for end-user systems, including devices such as mobile computer locks and
alarms and encryption of files stored on mobile devices.
● Emergency backup power, which can save sensitive electrical systems from harm during power
brownouts and blackouts; they can also ensure that applications and operating systems are shut
down gracefully manner to preserve data and transactions.
● Fire protection systems such as automated fire suppression systems and fire extinguishers, which
are essential tools for guarding the organization's key assets.
● Temperature and humidity control systems that extend the life of sensitive electrical equipment
and help to protect the data stored on them.
● Media access control and disposal procedures to ensure that only authorized personnel have
access to sensitive information and that media used for storing such data is rendered unreadable
by degaussing or other methods before disposal.
● Backup systems and provisions for offsite backup storage to facilitate the restoration of lost or
corrupted data. In the event of a catastrophic incident, backup media stored offsite makes it
possible to store critical business data on replacement systems.
Detection and recovery controls in this category include:
● Physical security, which shields the organization from attackers attempting to gain access to its
premises; examples include sensors, alarms, cameras, and motion detectors.
● Environmental security, which safeguards the organization from environmental threats such as
floods and fires; examples include smoke and fire detectors, alarms, sensors, and flood detectors.

Technological Controls
Technological controls vary considerably in complexity. They include system architecture design,
engineering, hardware, software, and firmware. They are all of the technological components used to build
an organization's information systems.
Preventative controls in this category include:
● Authentication. The process of validating the credentials of a person, computer, process, or device.
Authentication requires that the person, process, or device making the request provide a credential
that proves it is what or who it says it is. Common forms of credentials are digital signatures, smart
cards, biometric data, and a combination of user names and passwords.
● Authorization. The process of granting a person, computer process, or device access to certain
information, services, or functionality. Authorization is derived from the identity of the person,
computer process, or device requesting access, which is verified through authentication.
● Non-repudiation. The technique used to ensure that someone performing an action on a computer
cannot falsely deny that he or she performed that action. Non-repudiation provides undeniable
proof that a user took a specific action such as transferring money, authorizing a purchase, or
sending a message.
● Access control. The mechanism for limiting access to certain information based on a user's
identity and membership in various predefined groups. Access control can be mandatory,
discretionary, or role-based.

6
 ● Protected communications. These controls use encryption to protect the integrity and
confidentiality of information transmitted over networks.
Detection and recovery controls in this category include:
● Audit systems. Make it possible to monitor and track system behavior that deviates from expected
norms. They are a fundamental tool for detecting, understanding, and recovering from security
breaches.
● Antivirus programs. Designed to detect and respond to malicious software, such as viruses and
worms. Responses may include blocking user access to infected files, cleaning infected files or
systems, or informing the user that an infected program was detected.
● System integrity tools. Make it possible for IT staff to determine whether unauthorized changes
have been made to a system. For example, some system integrity tools calculate a checksum for all
files present on the system's storage volumes and store the information in a database on a separate
computer. Comparisons between a system's current state and its previously-known good
configuration can be completed in a reliable and automated fashion with such a tool.
Management controls in this category include:
● Security administration tools included with many computer operating systems and business
applications as well as security oriented hardware and software products. These tools are needed
in order to effectively maintain, support, and troubleshoot security features in all of these products.
● Cryptography, which is the foundation for many other security controls. The secure creation,
storage, and distribution of cryptographic keys make possible such technologies as virtual private
networks (VPNs), secure user authentication, and encryption of data on various types of storage
media.
● Identification, which supplies the ability to identify unique users and processes. With this
capability, systems can include features such as accountability, discretionary access control, role-
based access control, and mandatory access control.
● Protections inherent in the system, which are features designed into the system to provide
protection of information processed or stored on that system. Safely reusing objects, supporting no-
execute (NX) memory, and process separation all demonstrate system protection features.

Security Risk Management Practices

Comparing Approaches to Risk Management

Many organizations are introduced to security risk management by the necessity of responding to a
relatively small security incident. Whatever the incident, as more and more issues relating to security arise
and begin to impact the business, many organizations get frustrated with responding to one crisis after
another. They want an alternative to this reactive approach, one that seeks to reduce the probability that
security incidents will occur in the first place. Organizations that effectively manage risk evolve toward a
more proactive approach, but this is only part of the solution.

The Reactive Approach

Security incidents may help an organization to predict and prepare for future problems. This means
that an organization that takes time to respond to security incidents in a calm and rational manner while
determining the underlying reasons that allowed the incident to transpire will be better able to both protect
itself from similar problems in the future and respond more quickly to other issues that may arise.
The following six steps help when you are responding to security incidents quickly and efficiently:
1. Protect human life and people's safety. This should always be your first priority. For example, if
affected computers include life support systems, shutting them off may not be an option; perhaps
you could logically isolate the systems on the network by reconfiguring routers and switches

7
without disrupting their ability to help patients.
2. Contain the damage. Containing the harm that the attack caused helps to limit additional damage.
Protect important data, software, and hardware quickly. Minimizing disruption of computing
resources is an important consideration, but keeping systems up during an attack may result in
greater and more widespread problems in the long run. If you determine that there will be no
adverse effects, or that they would be outweighed by the positive benefits of activity, containment
should begin as quickly as possible during a security incident by disconnecting from the network the
systems known to be affected. If you cannot contain the damage by isolating the servers, ensure
that you actively monitor the attacker’s actions in order to be able to remedy the damage as soon as
possible. And in any event, ensure that all log files are saved before shutting off any server.
3. Assess the damage. Immediately make a duplicate of the hard disks in any servers that were
attacked and put those aside for forensic use later. Then assess the damage. You should begin to
determine the extent of the damage that the attack caused as soon as possible, right after you
contain the situation and duplicate the hard disks. This is important so that you can restore the
organization's operations as soon as possible while preserving a copy of the hard disks for
investigative purposes. If it is not possible to assess the damage in a timely manner, you should
implement a contingency plan so that normal business operations and productivity can continue. It
is at this point that organizations may want to engage law enforcement regarding the incident;
however, you should establish and maintain working relationships with law enforcement agencies
that have jurisdiction over your organization's business before an incident occurs so that when a
serious problem arises you know whom to contact and how to work with them. You should also
advise your company’s legal department immediately, so that they can determine whether a civil
lawsuit can be brought against anyone as a result of the damage.
4. Determine the cause of the damage. In order to ascertain the origin of the assault, it is necessary
to understand the resources at which the attack was aimed and what vulnerabilities were exploited
to gain access or disrupt services. Review the system configuration, patch level, system logs, audit
logs, and audit trails on both the systems that were directly affected as well as network devices that
route traffic to them. These reviews often help you to discover where the attack originated in the
system and what other resources were affected. You should conduct this activity on the computer
systems in place and not on the backed up drives created in step 3. Those drives must be preserved
intact for forensic purposes so that law enforcement or your lawyers can use them to trace the
perpetrators of the attack and bring them to justice. If you need to create a backup for testing
purposes to determine the cause of the damage, create a second backup from your original system
and leave the drives created in step 3 unused.
5. Repair the damage. In most cases, it is very important that the damage be repaired as quickly as
possible to restore normal business operations and recover data lost during the attack. The
organization's business continuity plans and procedures should cover the restoration strategy. The
incident response team should also be available to handle the restore and recovery process or to
provide guidance on the process to the responsible team. During recovery, contingency procedures
are executed to limit the spread of the damage and isolate it. Before returning repaired systems to
service be careful that they are not reinfected immediately by ensuring that you have mitigated
whatever vulnerabilities were exploited during the incident.
6. Review response and update policies. After the documentation and recovery phases are complete,
you should review the process thoroughly. Determine with your team the steps that were executed
successfully and what mistakes were made. In almost all cases, you will find that your processes
need to be modified to allow you to handle incidents better in the future. You will inevitably find
weaknesses in your incident response plan. This is the point of this after-the-fact exercise—you are
looking for opportunities for improvement. Any flaws should prompt another round of the incident-

8
 response planning process so that you can handle future incidents more smoothly.
This methodology is illustrated in the following diagram:

The Proactive Approach

Instead of waiting for incidences then respond, you minimize the possibility of the incidences ever occurring
in the first place. You make plans to protect your organization's important assets by implementing controls
that reduce the risk of vulnerabilities being exploited by malicious software, attackers, or accidental misuse.
Each of the security risk management methodologies shares some common high-level procedures:
1. Identify business assets.
2. Determine what damage an attack against an asset could cause to the organization.
3. Identify the security vulnerabilities that the attack could exploit.
4. Determine how to minimize the risk of attack by implementing appropriate controls.

Approaches to Risk Prioritization

There are many different methodologies for prioritizing or assessing risks, but most are based on
one of two approaches or a combination of the two: quantitative risk management or qualitative risk
management.

Quantitative Risk Assessment

In quantitative risk assessments, the goal is to try to calculate objective numeric values for each of
the components gathered during the risk assessment and cost-benefit analysis. Where you estimate the
true value of each business asset in terms of what it would cost to replace it, what it would cost in terms of
lost productivity, what it would cost in terms of brand reputation, and other direct and indirect business
values. You endeavor to use the same objectivity when computing asset exposure, cost of controls, and all
of the other values that you identify during the risk management process.

Weaknesses of this method:-

●There is no formal and rigorous way to effectively calculate values for assets and controls.
●Organizations that have tried to meticulously apply all aspects of quantitative risk management
9
 have found the process to be extremely costly. Such projects usually take a very long time to
complete their first full cycle, and they usually involve a lot of staff members arguing over the
details of how specific fiscal values were calculated.
●For organizations with high value assets, the cost of exposure may be so high that you would
spend an exceedingly large amount of money to mitigate any risks to which you were exposed.
This is not realistic, though; an organization would not spend its entire budget to protect a single
asset, or even its top five assets.

Qualitative Risk Assessment

You calculate relative values in this method. Risk analysis is usually conducted through a
combination of questionnaires and collaborative workshops involving people from a variety of groups
within the organization such as information security experts; information technology managers and staff;
business asset owners and users; and senior managers. The questionnaires are designed to discover what
assets and controls are already deployed, and the information gathered can be very helpful during the
workshops that follow. The information security experts and the system administrators typically come up
with controls to mitigate the risks for the group to consider and the approximate cost of each control.
Finally, the results are presented to management for consideration during a cost-benefit analysis.
The basic process for qualitative assessments is very similar to what happens in the quantitative
approach. The difference is in the details. Comparisons between the value of one asset and another are
relative, and participants do not invest a lot of time trying to calculate precise financial numbers for asset
valuation. The benefits of a qualitative approach are that it overcomes the challenge of calculating accurate
figures for asset value, cost of control and the process is much less demanding on staff.

Comparing the Two Approaches

Both qualitative and quantitative approaches to security risk management have their advantages
and disadvantages. Certain situations may call for organizations to adopt the quantitative approach. The
following table summarizes the benefits and drawbacks of each approach:
Quantitative Qualitative
Benefits ● Risks are prioritized by financial ● Enables visibility and
impact; assets are prioritized by understanding of risk ranking.
financial values. ● Easier to reach consensus.
● Results facilitate management of ● Not necessary to quantify
risk by return on security investment. threat frequency.
● Results can be expressed in ● Not necessary to determine
management-specific terminology financial values of assets.
(for example, monetary values and ● Easier to involve people who
probability expressed as a specific are not experts on security or
percentage). computers.
● Accuracy tends to increase over
time as the organization builds
historic record of data while gaining
experience.
Drawbacks ● Impact values assigned to risks are ● Insufficient differentiation
based on subjective opinions of between important risks.
participants. ● Difficult to justify investing in
● Process to reach credible results control implementation because
and consensus is very time there is no basis for a cost-
consuming. benefit analysis.

10
● Calculations can be complex and ● Results are dependent upon the
time consuming. quality of the risk management
● Results are presented in monetary team that is created.
terms only, and they may be difficult
for non-technical people to interpret.
● Process requires expertise, so
participants cannot be easily
coached through it.

11
LECTURE 3 - INFORMATION SECURITY POLICY

Policy: IS an essential foundation of effective information security program:

“The success of an information resources protection program depends on the policy
generated, and on the attitude of management toward securing information on
automated systems.
You, the policy maker, set the tone and the emphasis on how important a role
information security will have within your agency.
Your primary responsibility is to set the information resource security policy for the
organization with the objectives of reduced risk, compliance with laws and regulations
and assurance of operational continuity, information integrity, and confidentiality.”

Why Policy?
A quality information security program begins and ends with policy
Policies are least expensive means of control and often the most difficult to implement
Some basic rules must be followed when shaping a policy:
● Never conflict with law
● Stand up in court
● Properly supported and administered
● Contribute to the success of the organization
● Involve end users of information systems
The Bulls-eye Model

Bulls-eye model layers:

● Policies: first layer of defense
● Networks: threats first meet organization’s network
● Systems: computers and manufacturing systems
● Applications: all applications systems

Policies are important reference documents for internal audits and for resolution of
legal disputes about management's due diligence. Policy documents can act as a clear
statement of management's intent
1
Policies, Standards, & Practices
Policy: plan or course of action that influences and determines decisions
Standards: more detailed statement of what must be done to comply with policy
Practices, procedures and guidelines: explain how employees will comply with policy

For policies to be effective, they must be:

● Properly disseminated
● Read
● Understood
● Agreed-to

Policies require constant modification and maintenance

In order to produce a complete information security policy, management must define
three types of information security policy:
● Enterprise information security program policy
● Issue-specific information security policies
● Systems-specific information security policies

2
Enterprise Information Security Policy (EISP)
Sets strategic direction, scope, and tone for organization’s security efforts
Assigns responsibilities for various areas of information security
Guides development, implementation, and management requirements of information
security program

EISP Elements
EISP documents should provide :
● An overview of corporate philosophy on security
● Information about information security organization and information security
roles
Issue-Specific Security Policy (ISSP)
● Provides detailed, targeted guidance to instruct organization in secure use of
technology systems
● Begins with introduction to fundamental technological philosophy of
organization
● Serves to protect employee and organization from inefficiency/ambiguity
● Documents how technology-based system is controlled
● Identifies processes and authorities that provide this control
● Serves to indemnify organization against liability for inappropriate or illegal
system use

Every organization’s ISSP should:

● Address specific technology-based systems
● Require frequent updates
● Contain an issue statement on the organization’s position on an issue

Systems-Specific Policy (SysSP)

● Systems-Specific Policies (SysSPs) frequently do not look like other types of
policy
● They may often be created to function as standards or procedures to be
used when configuring or maintaining systems
SysSPs can be separated into:
● Management guidance
● Technical specifications
● Combined in a single policy document
Management Guidance SysSPs
● Created by management to guide the implementation and configuration of
technology
● Applies to any technology that affects the confidentiality, integrity or
availability of information
● Informs technologists of management intent

3
 ● Technical Specifications SysSPs
● System administrators directions on implementing managerial policy
● Each type of equipment has its own type of policies

Two general methods of implementing such technical controls:

● Access control lists
● Configuration rules

Access Control Lists

● Include user access lists, matrices, and capability tables that govern rights
and privileges
● Can control access to file storage systems, object brokers or other network
communications devices
● Capability Table: similar method that specifies which subjects and objects
users or groups can access
● Specifications are frequently complex matrices, rather than simple lists or
tables
● Level of detail and specificity (often called granularity) may vary from
system to system
● ACLs enable administrations to restrict access according to user, computer,
time, duration, or even a particular file

ACLs
In general ACLs regulate:
● Who can use the system
● What authorized users can access
● When authorized users can access the system
● Where authorized users can access the system from
● How authorized users can access the system
● Restricting what users can access, e.g. printers, files, communications, and
applications
Administrators set user privileges, such as:
●
● Read
● Write
● Create
● Modify
● Delete
● Compare
● Copy

4
Configuration Rules
Configuration rules are specific configuration codes entered into security systems to
guide execution of system when information is passing through it
Rule policies are more specific to system operation than ACLs and may or may not deal
with users directly
Many security systems require specific configuration scripts telling systems what
actions to perform on each set of information processed

Combination SysSPs
● Often organizations create a single document combining elements of both
Management Guidance and Technical Specifications SysSPs
● While this can be confusing, it is very practical
● Care should be taken to articulate required actions carefully as procedures
are presented

Guidelines for Policy Development

It is often useful to view policy development as a two-part project
● Design and develop policy (or redesign and rewrite outdated policy)
● Establish management processes to perpetuate policy within organization

The Policy Project

● Policy development or re-development projects should be well planned,
properly funded, and aggressively managed to ensure completion on time
and within budget
● When a policy development project is undertaken, the project can be guided
by the SecSDLC process

Investigation Phase
The policy development team should:
1. Obtain support from senior management, and active involvement of IT
management, specifically CIO
2. Clearly articulate goals of policy project
3. Gain participation of correct individuals affected by recommended
policies
4. Be composed from Legal, Human Resources and end-users
5. Assign project champion with sufficient stature and prestige
6. Acquire a capable project manager
7. Develop detailed outline of and sound estimates for the cost and
scheduling of the project

Analysis Phase
Analysis phase should include the following activities:

5
1. New or recent risk assessment or IT audit documenting the current information
security needs of the organization
2. Key reference materials—including any existing policies

Design Phase
Design phase should include:
1. How policies will be distributed
2. How verification of distribution will be accomplished
3. Specifications for any automated tools
4. Revisions to feasibility analysis reports based on improved costs and benefits as
design is clarified

Implementation Phase
● Implementation Phase: writing the policies
● Make certain policies are enforceable as written
● Policy distribution is not always as straightforward
● Effective policy
1. Is written at a reasonable reading level
2. Attempts to minimize technical jargon and management terminology

Maintenance Phase
● Maintain and modify policy as needed to ensure that it remains effective as
a tool to meet changing threats
● Policy should have a built-in mechanism via which users can report
problems with the policy, preferably anonymously
● Periodic review should be built in to the process

The Information Security Policy Made Easy Approach (ISPME)

1. Gathering Key Reference Materials
2. Defining A Framework For Policies
3. Preparing A Coverage Matrix
4. Making Critical Systems Design Decisions
5. Structuring Review, Approval, And Enforcement Processes
Coverage Matrix

6
Guide for Developing Security Plans
1. Policies:
Living documents that constantly change and grow
Must be properly disseminated (distributed, read, understood and agreed to) and
managed
2. Good management practices for policy development and maintenance make for
a more resilient organization
In order to remain current and viable, policies must have:
● Individual responsible for reviews
● Schedule of reviews
● Method for making recommendations for reviews
● Indication of policy and revision date

Policies exist first, and foremost, to inform employees of what is and is not acceptable
behavior in the organization
Policy seeks to improve employee productivity, and prevent potentially embarrassing
situations

Exercise
a. Discuss the legal and regulatory considerations organizations should take into
account when developing their incident response plans.
b. Provide examples of laws or regulations that impact incident response.

7
LECTURE 4 - PLANNING FOR CONTINGENCIES

What Is Contingency Planning?

It is the overall planning for unexpected events is called contingency planning (CP)
It is how organizational planners position their organizations to prepare for, detect, react to, and
recover from events that threaten the security of information resources and assets
Main goal: restoration to normal modes of operation with minimum cost and disruption to normal
business activities after an unexpected event

Contingency Planning Components

Incident response planning (IRP) focuses on immediate response
Disaster recovery planning (DRP) focuses on restoring operations at the primary site after disasters
occur
Business continuity planning (BCP) facilitates establishment of operations at an alternate site

To ensure continuity across all processes during planning process, contingency planners should:
● Identify the mission- or business-critical functions
● Identify resources that support critical functions
● Anticipate potential contingencies or disasters
● Select contingency planning strategies
● Implement selected strategy
● Test and revise contingency plans

CP Operations
Four teams are involved in contingency planning and contingency operations:
● CP team
● Incident recovery (IR) team
● Disaster recovery (DR) team
● Business continuity plan (BC) team
Components of Contingency Planning

Incident Response Plan

Incident Response Plan (IRP): Is a detailed set of processes and procedures that anticipate, detect,
and mitigate the impact of an unexpected event that might compromise information resources and
assets
Incident response (IR): Set of procedures that commence when an incident is detected
When a threat becomes a valid attack, it is classified as an information security incident if:
● It is directed against information assets
● It has a realistic chance of success
● It threatens the confidentiality, integrity, or availability of information assets
It is important to understand that IR is a reactive measure, not a preventative one

During the Incident

● Planners develop and document the procedures that must be performed during the incident
● These procedures are grouped and assigned to various roles
● Planning committee drafts a set of function-specific procedures

After the Incident

● Once the procedures for handling an incident are drafted, planners develop and document
the procedures that must be performed immediately after the incident has ceased
● Separate functional areas may develop different procedures
● Before the Incident
● Planners draft a third set of procedures, those tasks that must be performed in advance of
the incident
Include:
● Details of data backup schedules
● Disaster recovery preparation
● Training schedules
● Testing plans
● Copies of service agreements
● Business continuity plans

Preparing to Plan
Planning requires detailed understanding of information systems and threats they face
IR planning team seeks to develop pre-defined responses that guide users through steps needed to
respond to an incident
Pre-defining incident responses enables rapid reaction without confusion or wasted time and effort
IR team consists of professionals capable of handling information systems and functional areas
affected by an incident
Each member of the IR team must:
Know his or her specific role
Work in concert with each other
Execute the objectives of the IRP

Incident Detection
Challenge is determining whether an event is routine system use or an actual incident
Incident classification: process of examining a possible incident and determining whether or not it
constitutes actual incident
Initial reports from end users, intrusion detection systems, host- and network-based virus
detection software, and systems administrators are all ways to track and detect incident
candidates
Careful training allows everyone to relay vital information to the IR team

Possible Incident Indicators

 Presence of unfamiliar files
Presence or execution of unknown programs or processes
Unusual consumption of computing resources
Unusual system crashes
Probable Indicators
Activities at unexpected times
Presence of new accounts
Reported attacks
Notification from IDS
Definite Indicators
Use of dormant accounts
Changes to logs
Presence of hacker tools
Notifications by partner or peer
Notification by hacker

Occurrences of Actual Incidents

Loss of availability
Loss of integrity
Loss of confidentiality
Violation of policy
Violation of law

Incident Response
Once an actual incident has been confirmed and properly classified, the IR team moves from
detection phase to reaction phase
In the incident response phase, a number of action steps taken by the IR team and others must
occur quickly and may occur concurrently
These steps include notification of key personnel, the assignment of tasks, and documentation of
the incident

Notification of Key Personnel

As soon as incident is declared, the right people must be immediately notified in the right order
Alert roster: document containing contact information of individuals to be notified in the event of
actual incident either sequentially or hierarchically
Alert message: scripted description of incident
Other key personnel: must also be notified only after incident has been confirmed, but before media
or other external sources learn of it

Documenting an Incident
As soon as an incident has been confirmed and the notification process is underway, the team
should begin documentation
Should record the who, what, when, where, why and how of each action taken while the
incident is occurring
Serves as a case study after the fact to determine if right actions were taken and if they were
effective
Can also prove the organization did everything possible to deter the spread of the incident
Incident Containment Strategies
Essential task of IR is to stop the incident or contain its impact
Incident containment strategies focus on two tasks:
Stopping the incident
Recovering control of the systems
IR team can stop the incident and attempt to recover control by means of several strategies:
Disconnect affected communication circuits
Dynamically apply filtering rules to limit certain types of network access
Disable compromised user accounts
Reconfigure firewalls to block problem traffic
Temporarily disable compromised process or service
Take down conduit application or server
Stop all computers and network devices

Incident Escalation
An incident may increase in scope or severity to the point that the IRP cannot adequately contain
the incident
Each organization will have to determine, during the business impact analysis, the point at which
the incident becomes a disaster
The organization must also document when to involve outside response

Initiating Incident Recovery

Once the incident has been contained, and system control regained, incident recovery can begin
IR team must assess full extent of damage in order to determine what must be done to restore
systems
Immediate determination of the scope of the breach of confidentiality, integrity, and availability of
information and information assets is called incident damage assessment
Those who document the damage must be trained to collect and preserve evidence, in case the
incident is part of a crime or results in a civil action

Recovery Process
Once the extent of the damage has been determined, the recovery process begins:
Identify and resolve vulnerabilities that allowed incident to occur and spread
Address, install, and replace/upgrade safeguards that failed to stop or limit the incident, or
were missing from system in the first place
Evaluate monitoring capabilities (if present) to improve detection and reporting methods, or
install new monitoring capabilities
Restore data from backups as needed
Restore services and processes in use where compromised (and interrupted) services and
processes must be examined, cleaned, and then restored
Continuously monitor system
Restore the confidence of the members of the organization’s communities of interest

After Action Review

Before returning to routine duties, the IR team must conduct an after-action review, or AAR
AAR: detailed examination of events that occurred
All team members:
Review their actions during the incident
 Identify areas where the IR plan worked, didn’t work, or should improve

Law Enforcement Involvement

When incident violates civil or criminal law, it is organization’s responsibility to notify proper
authorities
Selecting appropriate law enforcement agency depends on the type of crime committed: Federal,
State, or Local
Involving law enforcement has both advantages and disadvantages:
Usually much better equipped at processing evidence, obtaining statements from witnesses,
and building legal cases
However, involvement can result in loss of control of chain of events following an incident

Disaster Recovery
Disaster recovery planning (DRP) is the preparation for and recovery from a disaster, whether natural
or man made
In general, an incident is a disaster when:
organization is unable to contain or control the impact of an incident
OR
level of damage or destruction from incident is so severe, the organization is unable to
quickly recover

Disaster Classifications
A DRP can classify disasters in a number of ways
Most common method: separate natural disasters from man-made disasters
Another way: by speed of development
Rapid onset disasters
Slow onset disasters

Planning for Disaster

Scenario development and impact analysis are used to categorize the level of threat of each potential
disaster
DRP must be tested regularly
Key points in the DRP:
Clear delegation of roles and responsibilities
Execution of alert roster and notification of key personnel
Clear establishment of priorities
Documentation of the disaster
Action steps to mitigate the impact
Alternative implementations for various systems components

Crisis Management.
Crisis management: set of focused steps taken during and after a disaster that deal primarily with
people involved
Crisis management team manages event:
Supporting personnel and their loved ones during crisis
Determining event's impact on normal business operations
When necessary, making a disaster declaration
Keeping public informed about event
 Communicating with outside parties
Two key tasks of crisis management team:
Verifying personnel status
Activating alert roster

Responding to the Disaster

Actual events often outstrip even best of plans
To be prepared, Disaster Recovery Plan should be flexible
If physical facilities are intact, begin restoration there
If organization’s facilities are unusable, take alternative actions
When disaster threatens organization at the primary site, Disaster Recovery Plan becomes Business
Continuity Planning BCP

Business Continuity Planning (BCP)

Ensures critical business functions can continue in a disaster
Most properly managed by CEO of organization
Activated and executed concurrently with the DRP when needed
Reestablishes critical functions at alternate site (DRP focuses on reestablishment at primary site)
Relies on identification of critical business functions and the resources to support them

Continuity Strategies
Several continuity strategies for business continuity
Determining factor is usually cost
Three exclusive-use options:
Hot sites
Warm sites
Cold sites
Three shared-use options:
Timeshare
Service bureaus
Mutual agreements

Off-Site Disaster Data Storage

To get any BCP site running quickly, organization must be able to recover data
Options include:
Electronic vaulting: bulk batch-transfer of data to an off-site facility
Remote Journaling: transfer of live transactions to an off-site facility
Database shadowing: storage of duplicate online transaction data
Overview

Business Impact Analysis (BIA)

BIA
Provides information about systems/threats and detailed scenarios for each potential attack
Not risk management focusing on identifying threats, vulnerabilities, and attacks to
determine controls
 Assumes controls have been bypassed or are ineffective and attack was successful
CP team conducts BIA in the following stages:
Threat attack identification
Business unit analysis
Attack success scenarios
Potential damage assessment
Subordinate plan classification

Major Tasks in Contingency Planning

Attack Success Scenario Development

Scenarios depicting impact of successful attack are done on each functional area
Attack profiles should include scenarios depicting typical attack including:
Methodology
Indicators
broad consequences
More details are added including alternate outcomes—best, worst, and most likely

Potential Damage Assessment

From detailed scenarios, the BIA planning team must estimate the cost of the best, worst, and most
likely outcomes by preparing an attack scenario end case
This will allow identification of what must be done to recover from each possible case

Combining the DRP and the BCP

Because DRP and BCP are closely related, most organizations prepare them concurrently and may
combine them into a single document
Such a comprehensive plan must be able to support reestablishment of operations at two different
locations
Immediately at alternate site
Eventually back at primary site
Therefore, although a single planning team can develop combined DRP/BRP, execution requires
separate teams

Testing Contingency Plans

Once problems are identified during the testing process, improvements can be made, and the
resulting plan can be relied on in times of need
There are five testing strategies that can be used to test contingency plans:
Desk Check
Structured walkthrough
Simulation
Parallel testing
Full interruption
Continuous Improvement
Iteration results in improvement
A formal implementation of this methodology is a process known as continuous process
improvement (CPI)
Each time plan is rehearsed, it should be improved
Constant evaluation and improvement leads to an improved outcome
LECTURE 5 Telecommunications, Network, and Internet Security
The OSI model addresses the following security issues:-
OSI Model and Security
Security Mechanisms used in networks
Encipherment
Digital signature
Access control
Data integrity
Authentication
Traffic padding
Routing protocol
Basic Network Security Infrastructures

Layer Function Network Protocols or Standards

Device
7: Application Provides services such as HTTP, FTP, TFTP, DNS, SMTP,
email, file transfers and file SFTP, SNMP, RLogin, BootP,
servers MIME
6: Presentation Provides encryption, code MPEG, JPEG, TIFF
conversion and data
formatting
5: Session Negotiates and establishes a Gateways SQL, X- Window, ASP, DNA, SCP,
connection with another NFS, RPC
computer
4: Transport Supports end-to-end delivery Gateway TCP, UDP, SPX
of data
3: Network Performs packet routing Router IP, OSPF, ICMP, RIP, ARP, RARP
2: Data link Provides error checking and Switch Ethernet, Token Ring, 802.11
transfer of message frames
1: Physical Physically interfaces with Hub EIA RS-232, EIA RS-449, IEEE,
transmission medium and 802
sends data over the network

Router
A network traffic management device that, unbeknownst to the user, sits between
subnetworks (LANs) and routes traffic intended for or leaving the network segments to
which it’s attached

Packet Filter
A simple and effective form of protection that matches all packets against a series of
rules
Basic Packet Filtering
● Allows communication originating from one side of the communication path or the
other
● Identifies and controls traffic by examining the source, destination, port number, and
protocol types
 Stateful Inspection Packet Filtering
● A more complex packet-filtering technology that keeps track of the state of the
current connection to help assure that only desired traffic passes through

Benefits of Packet-Filtering Routers

● Little or no cost to implement because packet filtering is a feature of standard
routers
● Little impact on router performance
● Generally transparent to users and applications

Limitations of Packet-Filtering Routers

● Defining packet filters can be a complex task
● The filtering rule set can become complicated, increasing in difficulty to manage
and comprehend
● There are few testing facilities to verify the correctness of the filtering rules
● The packet throughput of a router decreases as the number of filters increase
● It is not capable of understanding the context/data of a particular service

Firewalls
●Firewalls typically run monitoring software to detect and thwart external attacks on the
site and protect the internal corporate network
●Firewalls are an essential device for network security
●Many of the architectures needed for security rely on one or more firewalls within an
intelligent design

Application-Level Gateway Firewall

● Allows the network administrator to implement stricter security policies than packet-
filtering routers can manage
● Requires special-purpose code (a proxy service) for each desired application
● The proxy code can be configured to support only acceptable features of an
application
● Users are permitted access to the proxy services, but may not log in to the
application-level gateway itself

Benefits of Application-Level Gateways

● The network manager has complete control over each service and permitted services
● It has the ability to support strong user authentication and provide detailed logging
information
● The filtering rules are much easier to configure and test

Limitations of Application-Level Gateways

● It requires either that users modify their behavior or that specialized software be
installed on each system that accesses proxy services
● Firewall Implementation Examples
 1. Packet-Filter Router
● Inexpensive and transparent to users
● Inherent limitations of a packet-filtering router
2. Screened Host Firewalls
a. Public information server can be placed on the segment shared by the
packet-filtering router and the bastion host

3. DMZ or Screened-Subnet Firewall

Private network is invisible
Inside users must access the Internet via the proxy services

Intrusion Detection Systems (IDS)

●IDSs attempt to detect an intruder breaking into systems or an authorized user misusing
system resources
●IDSs are needed to detect both types of intrusions
● Break-in attempts from the outside
● Knowledgeable insider attacks
Two basic philosophical options
1. Prohibit everything that is not expressly permitted
2. Permit everything that is not expressly denied

A Good Intrusion Detection System must

● run continually without human supervision
● be fault tolerant
● resist subversion
● impose minimal overhead on the attached network
● observe deviations from normal behavior
● be easily tailored to the network
● cope with changing system behavior
False Positives, False Negatives, and Subversion Attacks
A false positive occurs when the system classifies an action as anomalous when it is
legitimate
A false negative occurs when an intrusive action has occurred but the system allows it
to pass as nonintrusive behavior
A subversion error occurs when an intruder modifies the operation of the intrusion
detector to force false negatives to occur

Virtual Private Networks (VPNs)

● VPN is a network technology that makes it possible to establish private “tunnels”
over the public Internet
● IP security (IPSec) operates at both the Network Layer and Session Layer of the
TCP/IP protocol stack
● IPSec VPNs are the most common form in use today and are widely available from
network and firewall providers

IPsec - Performs both encryption and authentication to address the inherent lack of
security on IP-based networks

Three characteristics - Sender authentication, message integrity, and data confidentiality

SECURING MULTI-PLATFORM SYSTEMS

Networks are increasingly heterogeneous, containing different types of hardware and

software and running multiple operating systems that all need to be able to
communicate with one another.
There are fewer and fewer pure Windows (or pure UNIX) shops, with many companies
running Windows domains side-by-side with UNIX web servers, accessed by client
computers running Windows, Linux and Mac. Add to the mix a variety of smart phones
(Windows Mobile, iPhone, Android, Symbian and more) that need to download mail and
possibly access other network resources, and you have a real challenge.
The same basic security concepts apply to both heterogeneous and homogeneous
networks, so it goes without saying that, regardless of the platform(s), you should:
● Secure the edge with a good firewall/threat management gateway and intrusion
detection/prevention system
● Use anti-virus and anti-malware software (including on non-Windows systems)
and keep definitions updated
● Implement security auditing/monitoring to detect attempted breaches
● Harden systems by turning off unnecessary services
● Close unused ports
● Restrict physical access to the systems
● Restrict administrative/root access to those who really need it; on UNIX systems,
restrict root access to secure terminals
 ● Implement file level permissions; on UNIX systems, partition the file system and
use read-only partitions for storing files that don’t change often, and use ACLs
(Access Control Lists) for complex permissions management
● On UNIX systems, limit the access processes have on the file system by using
the chroot and ulimit interfaces
● Enforce strong password policies
● In high security environments, require two-factor authentication
● On UNIX systems, use SSH (Secure Shell) for remote command line access
● Use encryption: to protect files on the drive, to protect data crossing the network,
to protect the operating system from unauthorized access
● Implement a public key infrastructure to issue digital certificates
Hire an outside security auditor
A third party security audit can be useful to evaluate and advise on the security
implementation in any complex network, but that goes double for a heterogeneous
network. A company that does security audits for a living will have personnel
experienced in reviewing many different types of systems and will be current on new
vulnerabilities and new solutions that your IT personnel may not have the time to keep
up with. They can perform penetration testing for a real-world assessment of where the
vulnerabilities lie, and they can advise you on the most effective and most cost-effective
ways to close the gaps.

Summary
1. The Telecommunications, Network, and Internet Security domain is one of the most
important areas that security practitioners must understand well
2. We can begin to mix and match the building blocks of network security tools and
techniques to implement defense in depth in preserving confidentiality, integrity, and
availability
3. It is important to know how to find security information and how to decide which
security architecture is most appropriate for a given situation
LECTURE 6 : Network Security Audit

A network audit is a formal or informal inventory, assessment, and analysis of your

network’s hardware, software, operating systems, servers, and users.

Network audits typically check:

● All network infrastructure and internet-accessible systems
● The security mechanisms activated to protect the network
● The practices used for day-to-day network management

Network security best practices for threat detection and response

Baseline network protocols and monitor usage.

Establish the baseline usage of different protocols on your wired and wireless networks.
To create an accurate baseline, data should be gathered from a variety of sources
including routers, switches, firewalls, wireless access points, network sniffers and
dedicated data collectors. Then monitor for deviations from these baselines, which can
be indicative of data tunneling, malicious software transmitting data to unauthorized
destinations, and other threats.

Use honeypots and honeynets.

A honeypot is a decoy system designed to look like a real network asset, and a honeynet
is a network of honeypots that simulates a larger, more complex network environment.
They are designed to lure adversaries into interacting with them, both to divert malicious
actors from true assets and to enable security teams to study attack techniques and
gather other intelligence for effective threat management.

Use intrusion detection and prevention systems.

It is vital to monitor and log activity across the network and analyze it to spot unusual
logins, suspicious computer events and other anomalies.
An intrusion detection system (IDS) monitors network data flows for potentially malicious
activity and alerts administrators about anomalies.
An intrusion prevention system (IPS) also monitors network traffic for threats; however, in
addition to alerting administrators, it can automatically take action to block or mitigate
threats.
These tools can be a valuable part of your network security strategy. For example, by
comparing current activity to an established baseline, they could spot a spike in network
activity that could indicate a ransomware or SQL injection attack.
They can also use attack signatures — characteristic features common to a specific
attack or pattern of attacks — to spot attacks that don’t generate activity that violates
your organization’s baseline.

Automate response to attacks when appropriate.

Many modern security tools can be configured to respond automatically to known threats.
For example, these systems can:
● Block IP address — An IPS or firewall can block the IP address from which the attack
originated. This option is very effective against phishing and denial-of-service attacks.
However, some attackers spoof the source IP address during attacks, so the wrong
address will be blocked.
● Terminate connections — Routers and firewalls can be configured to disrupt the
connections that an intruder maintains with the compromised system by targeting
RESET TCP packets at the attacker.
● Acquire additional information — Tools can also collect valuable information that
help determine such the point of initial access, which accounts were compromised,
how the intruders moved across the network and what data was compromised.

Use multiple vendors.

Using solutions from different vendors bolsters cyber resilience by reducing the risk
associated with a single point of failure — if a solution from one vendor is compromised,
the presence of solutions from other vendors helps maintain the defensive shield. This
approach also enables greater adaptability in response to evolving threats and security
requirements. More broadly, it can lead to competitive pricing and drive innovation, as
vendors strive to offer the most advanced and cost-effective solutions.

The OSI Model

The OSI (Open Systems Interconnection) model is an established framework for network
systems. It comprises seven layers, from physical hardware to application-level
interactions:

What A Network Security Assessment Checklist Should Look Like

Doing things are a lot easier if you have some sort of guide to help you. This applies to
network security as well. Knowing the strengths and weaknesses of your network is
important. Using a network security assessment checklist gives you direction.

Here are the details one could expect in a network security assessment checklist:
Things to Description
 check for
Make sure This is a standard physical security procedure. Someone sneaking in your
all security business premises can do malicious things on your network.
or Having security cameras everywhere will prevent an attacker from entering
surveillanc your business premises. A network security assessment checklist should
e cameras always include this detail on it.
are
working.
Check if This is very important for the physical security of your network. A sample
your keyless entry system is a door using biometrics for authentication. An
keyless intruder can’t enter your building without verifying their identity first.
entry A network security assessment checklist should also include this detail on
systems it.
are
working.
Lock This is a standard computer security procedure that most people do not
computers follow. The importance of locking your PC is that no one could use it other
when not than you.
in use. You should always lock your workstation if you are going away from it like
when taking breaks. One of the major threats to information security is the
insider threats.
These are the employees who are negligent and don’t follow security
policies. They are the security risks that are outside the scope of a network
assessment tool.
A network security assessment checklist must always include this security
procedure on it.
Test the Your anti-malware software should be capable of detecting, removing, and
capability preventing various threats. This includes the following:
of your ● Viruses
antimalwar ● Trojans
e software. ● Worms
● Rootkits
● Spyware
● Adware
● Ransomware
Also, consider the variations of these threats and zero-day attacks. A
network security assessment checklist should always contain this security
procedure on it.
Check for Block adult sites, gaming sites, and social media sites. This should be in
web align with your company’s security policies. These sites should be
content. inaccessible by default.
Browsing these sites also reduces productivity and increases security
risks. Clicking on links especially on adult sites will trigger a malware
infection.
A network security assessment checklist should always include this
security procedure.
Try Test if your firewall is effective at doing its job. It should react to any
working suspicious and malicious activity. Upon threat detection, it should notify
around you right away.
your There are a lot of tools out there to test the strength of a firewall. It is a
firewall. matter of preference which one best fits your business needs.
It is necessary to include this detail in a network security assessment
checklist.
Use a This procedure gives programs and processes access to network
whitelistin resources. A whitelist can contain the following:
g approach ● applications
● email addresses
● IP addresses
All the elements in the whitelist have access to network resources. Things
not on the list do not have permission. The logic here is to deny all and
permit some.
Whitelisting is an important thing to add in your network security
assessment checklist.
Patch Cybercriminals always target outdated software. They exploit the
manageme weaknesses while the software vendor is preparing a patch.
nt It is necessary to update the software components of your network.
Patching them will fix the bugs and vulnerabilities.
Patching is a vital process to include in a network security assessment
checklist.

Check list
1. General
√ A written Network Security Policy that lists the rights and responsibilities of all
staff, employees, and consultants
√ Security Training for all users regarding the use of the Network Environment and
sharing data outside the company as well as allowing anybody to access their
systems
√ Make sure users have been trained regarding the sharing of information by email
and the Internet
√ All outside vendors and contractors need to sign a security agreement while they
are working in your environment
√ Have contingency plans in place for if and when there is a data breach or
security breach.
2. Password Security
√ Written password policy
√ Password Training for all authorized users to ensure they understand the
potential risks of using passwords in an insecure way
√ Inspect Workstations for written passwords in the user or server areas
√ Keep password requirements documentation in a safe place
3. LAN Security
√ Hardening of servers on the internal network, removing unnecessary services
and applications
√ Keeping unnecessary files off of servers
 √ Server permissions set appropriately for users
√ No anonymous users allowed
√ Share the functions of server administration between administrators
√ Remote administration policy
●Disable Remote Administration where it isn’t needed
√ Remote Access Security policy and implementation
√ Rename Administrator Account
√ Enable auditing of Administrator login attempts
√ Create extra-strong passwords for Administrator accounts
√ Passwords for server administration accounts should be different than
workstation user accounts for the same users
√ Disable Guest Account
√ Restrict Access to the Everyone Group
√ Create appropriate user and group accounts
√ Set appropriate group access permissions
√ Configure audit logs to track unauthorized access of files/systems/folders/
accounts
√ Configure patch management or scheduled download and application of the
operating system and security patches
√ Ensure Wireless Network security is configured properly, including the use of
wireless security protocols
4. Workstation Logons
√ Screen Locks on all computers
√ Require passwords on all computers, including screen lock recovery
√ Consider using two-factor authentication
√ Harden workstations, removing unnecessary applications and programs
√ Anti-virus software installed and disable circumnavigating
√ Ensure anti-virus updates are occurring regularly
√ Ensure software updates are occurring regularly
√ Ensure the operating system and security patches are occurring regularly
√ Pop-up blockers enabled
5. Mobile Devices
√ An IT security policy or BYOD policy (Bring Your Own Device) needs to be in
place for mobile devices that are used on the network
√ Enforcement of the mobile device policies needs to be decided on and enforced
√ Wireless access points need to be secure
6. Network Equipment Security
√ Configure audit logs to monitor access
√ Document configuration working configuration settings in case of failure
√ Document user accounts/passwords for accessing these devices and put them
in a safe place
√ Make sure that firmware upgrades occur regularly
7. Router/Firewall Security
√ Use a firewall and make sure that all public-facing services are on a separate
network segment or DMZ (email, FTP, web, for example) for intrusion prevention.

√ Make sure that all externally sourced IP addresses are not allowed inside the
LAN, but only to the DMZ
√ Configure firewall policies to deny inbound access to unused ports
√ Review all firewall policies for potential security risks
√ Implement network address translation (NAT) where possible
√ Use stateful packet inspection on the firewall, preventing IP address spoofing
and DOS attacks.
√ Make sure the router and firewall software is updated regularly
√ Make sure the router and firewall firmware is updated regularly
√ Consider having penetration testing performed for further weakness exposure
LECTURE 7: OPERATING SYSTEMS SECURITY

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and
availability.
OS security refers to specified steps or measures used to protect the OS from threats, viruses,
worms, malware or remote hacker intrusions. OS security encompasses all preventive-control
techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS
security is compromised.

Operating system consists of a collection of objects, hardware or software

● Each object has a unique name and can be accessed through a well-defined set of
operations (hopefully)
● Protection and security problem - ensure that each object is accessed correctly and only by
those processes of authorized users that are allowed to do so
● OS designer faces challenge of creating a protection scheme that cannot be bypassed by
any software that may be created in the future
● Networking adds to the problem as it allows access to a computer and its resources
without being in the same physical location

OS security may be approached in many ways, including adherence to the following:

● Performing regular OS patch updates
● Installing updated antivirus engines and software
● Scrutinizing all incoming and outgoing network traffic through a firewall
● Creating secure accounts with required privileges only (i.e., user management)

Authentication
Authentication refers to identifying the each user of the system and associating the executing
programs with those users. It is the responsibility of the Operating System to create a protection
system which ensures that a user who is running a particular program is authentic. Operating
Systems generally identifies/ authenticates users using following three ways:
● Username / Password - User need to enter a registered username and password with
Operating system to login into the system.
● User card/key - User need to punch card in card slot, or enter key generated by key
generator in option provided by operating system to login into the system.
● User attribute - fingerprint/ eye retina pattern/ signature - User need to pass his/her
attribute via designated input device used by operating system to login into the system.
One Time passwords
One time passwords provides additional security along with normal authentication. In One-Time
Password system, a unique password is required every time user tries to login into the system. Once
a one-time password is used then it can not be used again. One time password are implemented in
various ways.
● Random numbers - Users are provided cards having numbers printed along with
corresponding alphabets. System asks for numbers corresponding to few alphabets
randomly chosen.
● Secret key - User are provided a hardware device which can create a secret id mapped with
user id. System asks for such secret id which is to be generated every time prior to login.
● Network password - Some commercial applications send one time password to user on
registered mobile/ email which is required to be entered prior to login.
Threats in securing operating systems
Some of the most common types of violations include:
● Breach of Confidentiality - Theft of private or confidential information, such as credit-card
numbers, trade secrets, patents, secret formulas, manufacturing procedures, medical
information, financial information, etc.
● Breach of Integrity - Unauthorized modification of data, which may have serious indirect
consequences. For example a popular game or other program's source code could be
modified to open up security holes on users systems before being released to the public.
● Breach of Availability - Unauthorized destruction of data, often just for the "fun" of causing
havoc and for bragging rites. Vandalism of web sites is a common form of this violation.
● Theft of Service - Unauthorized use of resources, such as theft of CPU cycles, installation of
daemons running an unauthorized file server, or tapping into the target's telephone or
networking services.
● Denial of Service, DOS - Preventing legitimate users from using the system, often by
overloading and overwhelming the system with an excess of requests for service.

There are four levels at which a system must be protected:

1. Physical - The easiest way to steal data is to pocket the backup tapes. Also, access to the
root console will often give the user special privileges, such as rebooting the system as root
from removable media. Even general access to terminals in a computer room offers some
opportunities for an attacker, although today's modern high-speed networking environment
provides more and more opportunities for remote attacks.
2. Human - There is some concern that the humans who are allowed access to a system be
trustworthy, and that they cannot be coerced into breaching security. However more and
more attacks today are made via social engineering, which basically means fooling
trustworthy people into accidentally breaching security.
●Phishing involves sending an innocent-looking e-mail or web site designed to fool
people into revealing confidential information. E.g. spam e-mails pretending to be
from e-Bay, PayPal, or any of a number of banks or credit-card companies.
●Dumpster Diving involves searching the trash or other locations for passwords that are
written down. ( Note: Passwords that are too hard to remember, or which must be
changed frequently are more likely to be written down somewhere close to the user's
station. )
●Password Cracking involves divining users passwords, either by watching them type in
their passwords, knowing something about them like their pet's names, or simply
trying all words in common dictionaries.
3. Operating System - The OS must protect itself from security breaches, such as runaway
processes ( denial of service ), memory-access violations, stack overflow violations, the
launching of programs with excessive privileges, and many others.
4. Network - As network communications become ever more important and pervasive in
modern computing environments, it becomes ever more important to protect this area of the
system. ( Both protecting the network itself from attack, and protecting the local system
from attacks coming in through the network. ) This is a growing area of concern as wireless
communications and portable devices become more and more prevalent.

Program Threats
Operating system's processes and kernel do the designated task as instructed. If a user program
made these process do malicious tasks then it is known as Program Threats.
Following is the list of some well known program threats.
● Trojan Horse - Such program traps user login credentials and stores them to send to
malicious user who can later on login to computer and can access system resources.
● Trap Door - If a program which is designed to work as required, have a security hole in its
code and perform illegal action without knowledge of user then it is called to have a trap door.
● Logic Bomb - Logic bomb is a situation when a program misbehaves only when certain
conditions met otherwise it works as a genuine program. It is harder to detect.
● Virus - Virus as name suggest can replicate themselves on computer system .They are
highly dangerous and can modify/delete user files, crash systems. A virus is generatlly a
small code embedded in a program. As user accesses the program, the virus starts getting
embedded in other files/ programs and can make system unusable for user.
● Spyware is a version of a Trojan Horse that is often included in "free" software downloaded
off the Internet. Spyware programs generate pop-up browser windows, and may also
accumulate information about the user and deliver it to some central site. ( This is an
example of covert channels, in which surreptitious communications occur. ) Another
common task of spyware is to send out spam e-mail messages, which then purportedly come
from the infected user.

System Threats
System threats refers to misuse of system services and network connections to put user in trouble.
System threats can be used to launch program threats on a complete network called as program
attack. System threats creates such an environment that operating system resources/ user files are
mis-used. Following is the list of some well known system threats.
● Worm -Worm is a process which can choked down a system performance by using system
resources to extreme levels.A Worm process generates its multiple copies where each copy
uses system resources, prevents all other processes to get required resources. Worms
processes can even shut down an entire network.
● Port Scanning - Port scanning is a mechanism or means by which a hacker can detects
system vulnerabilities to make an attack on the system. Port Scanning is technically not an
attack, but rather a search for vulnerabilities to attack. The basic idea is to systematically
attempt to connect to every known ( or common or possible ) network port on some remote
machine, and to attempt to make contact. Once it is determined that a particular computer is
listening to a particular port, then the next step is to determine what daemon is listening, and
whether or not it is a version containing a known security flaw that can be exploited.
● Because port scanning is easily detected and traced, it is usually launched from zombie
systems, i.e. previously hacked systems that are being used without the knowledge or
permission of their rightful owner. For this reason it is important to protect "innocuous"
systems and accounts as well as those that contain sensitive information or special
privileges.
● Denial of Service - Denial of service attacks normally prevents user to make legitimate use of
the system. For example user may not be able to use internet if denial of service attacks
browser's content settings.
Some of the forms of viruses include:
●File - A file virus attaches itself to an executable file, causing it to run the virus code first
and then jump to the start of the original program. These viruses are termed parasitic,
because they do not leave any new files on the system, and the original program is
still fully functional.
●Boot - A boot virus occupies the boot sector, and runs before the OS is loaded. These
 are also known as memory viruses, because in operation they reside in memory, and do
not appear in the file system.
●Macro - These viruses exist as a macro ( script ) that are run automatically by certain
macro-capable programs such as MS Word or Excel. These viruses can exist in word
processing documents or spreadsheet files.
●Source code viruses look for source code and infect it in order to spread.
●Polymorphic viruses change every time they spread - Not their underlying functionality,
but just their signature, by which virus checkers recognize them.
●Encrypted viruses travel in encrypted form to escape detection. In practice they are self-
decrypting, which then allows them to infect other files.
●Stealth viruses try to avoid detection by modifying parts of the system that could be
used to detect it. For example the read( ) system call could be modified so that if an
infected file is read the infected part gets skipped and the reader would see the
original unadulterated file.
●Tunneling viruses attempt to avoid detection by inserting themselves into the interrupt
handler chain, or into device drivers.
●Multipartite viruses attack multiple parts of the system, such as files, boot sector, and
memory.
●Armored viruses are coded to make them hard for anti-virus researchers to decode and
understand. In addition many files associated with viruses are hidden, protected, or
given innocuous looking names such as "...".
● In 2004 a virus exploited three bugs in Microsoft products to infect hundreds of Windows
servers ( including many trusted sites ) running Microsoft Internet Information Server, which
in turn infected any Microsoft Internet Explorer web browser that visited any of the infected
server sites. One of the back-door programs it installed was a keystroke logger, which records
users keystrokes, including passwords and other sensitive information.
● There is some debate in the computing community as to whether a monoculture, in which
nearly all systems run the same hardware, operating system, and applications, increases the
threat of viruses and the potential for harm caused by them.

Password Vulnerabilities
● Passwords can be guessed.
●Intelligent guessing requires knowing something about the intended target in specific,
or about people and commonly used passwords in general.
●Brute-force guessing involves trying every word in the dictionary, or every valid
combination of characters. For this reason good passwords should not be in any
dictionary ( in any language ), should be reasonably lengthy, and should use the full
range of allowable characters by including upper and lower case characters,
numbers, and special symbols.
● "Shoulder surfing" involves looking over people's shoulders while they are typing in their
password.
●Even if the lurker does not get the entire password, they may get enough clues to
narrow it down, especially if they watch on repeated occasions.
●Common courtesy dictates that you look away from the keyboard while someone is
typing their password.
●Passwords echoed as stars or dots still give clues, because an observer can determine
how many characters are in the password. :-(
● "Packet sniffing" involves putting a monitor on a network connection and reading data
 contained in those packets.
●SSH encrypts all packets, reducing the effectiveness of packet sniffing.
●However you should still never e-mail a password, particularly not with the word
"password" in the same message or worse yet the subject header.
●Beware of any system that transmits passwords in clear text. ( "Thank you for signing
up for XYZ. Your new account and password information are shown below". ) You
probably want to have a spare throw-away password to give these entities, instead of
using the same high-security password that you use for banking or other confidential
uses.
Protected Objects
The rise of multiprogramming meant that several aspects of a computing system required
protection.
● memory
● sharable I/O devices, such as disks
● serially reusable I/O devices, such as printers and tape drives
● sharable programs and subprocedures
● networks
● sharable data
As it assumed responsibility for controlled sharing, the operating system had to protect these
objects.

Security Methods of Operating Systems

The basis of protection is separation: keeping one user's objects separate from other users.
Separation in an operating system can occur in several ways.
● Physical separation , in which different processes use different physical objects, such as
separate printers for output requiring different levels of security
● Temporal separation , in which processes having different security requirements are
executed at different times
● Logical separation , in which users operate under the illusion that no other processes exist,
as when an operating system constrains a program's accesses so that the program cannot
access objects outside its permitted domain
● Cryptographic separation , in which processes conceal their data and computations in such
a way that they are unintelligible to outside processes
Combinations of two or more of these forms of separation are also possible.
● The first two approaches are very stringent and can lead to poor resource utilization.
Therefore, we would like to shift the burden of protection to the operating system to allow
concurrent execution of processes having different security needs.

There are several ways an operating system can assist, offering protection at any of several levels.
● Do not protect . Operating systems with no protection are appropriate when sensitive
procedures are being run at separate times.
● Isolate . When an operating system provides isolation, different processes running
concurrently are unaware of the presence of each other. Each process has its own address
space, files, and other objects. The operating system must confine each process somehow,
so that the objects of the other processes are completely concealed.
● Share all or share nothing . With this form of protection, the owner of an object declares it to
be public or private. A public object is available to all users, whereas a private object is
available only to its owner.
 ● Share via access limitation . With protection by access limitation, the operating system
checks the allowability of each user's potential access to an object. That is, access control is
implemented for a specific user and a specific object.
● Share by capabilities . An extension of limited access sharing, this form of protection allows
dynamic creation of sharing rights for objects. The degree of sharing can depend on the
owner or the subject, on the context of the computation, or on the object itself.
● Limit use of an object . This form of protection limits not just the access to an object but the
use made of that object after it has been accessed. For example, a user may be allowed to
view a sensitive document, but not to print a copy of it. More powerfully, a user may be
allowed access to data in a database to derive statistical summaries (such as average salary
at a particular grade level), but not to determine specific data values (salaries of individuals).
These modes of sharing are arranged in increasing order of difficulty to implement, but also in
increasing order of fineness of protection they provide.
A given operating system may provide different levels of protection for different objects, users, or
situations.

Memory and Address Protection

● Preventing one program from affecting the memory of other programs.
● Protection can be built into the hardware mechanisms that control efficient use of memory,
so that solid protection can be provided at essentially no additional cost.

Fence
● The simplest form of memory protection was introduced in single-user operating systems,
to prevent a faulty user program from destroying part of the resident portion of the operating
system. As its name implies, a fence is a method to confine users to one side of a boundary.
● Another implementation used a hardware register, often called a fence register , containing
the address of the end of the operating system. In contrast to a fixed fence, in this scheme
the location of the fence could be changed. Each time a user program generated an address
for data modification, the address was automatically compared with the fence address. If
the address was greater than the fence address (that is, in the user area), the instruction was
executed; if it was less than the fence address (that is, in the operating system area), an error
condition was raised.

Relocation
If the operating system can be assumed to be of a fixed size , programmers can write their code
assuming that the program begins at a constant address. This feature of the operating system
makes it easy to determine the address of any object in the program.
It also makes it essentially impossible to change the starting address if, for example, a new version of
the operating system is larger or smaller than the old. If the size of the operating system is allowed to
change, then programs must be written in a way that does not depend on placement at a specific
location in memory.

Base/Bounds Registers
● With two or more users, none can know in advance where a program will be loaded for
execution.
● The relocation register solves the problem by providing a base or starting address.
● All addresses inside a program are offsets from that base address.
● A variable fence register is generally known as a base register .
Segmentation
Segmentation , involves the dividing a program into separate pieces. Each piece has a logical unity,
exhibiting a relationship among all of its code or data values.
Segmentation allows a program to be divided into many pieces having different access rights.
This hiding of addresses has three advantages for the operating system.
1. The operating system can place any segment at any location or move any segment to any
location, even after the program begins to execute. Because the operating system translates
all address references by a segment address table, the operating system needs only to update
the address in that one table when a segment is moved.
2. A segment can be removed from main memory (and stored on an auxiliary device) if it is not
being used currently.
3. Every address reference passes through the operating system, so there is an opportunity to
check each one for protection.
Segmentation offers these protective benefits.
● Each address reference is checked for protection.
● Many different classes of data items can be assigned different levels of protection.
● Two or more users can share access to a segment, with potentially different access rights.
● A user cannot generate an address or access to an unpermitted segment.

Control of Access to General Objects

Protecting memory is a specific case of the more general problem of protecting objects. As
multiprogramming has developed, the numbers and kinds of objects shared have also increased.
Examples of the kinds of objects for which protection is desirable:
1. memory
2. a file or data set on an auxiliary storage device
3. an executing program in memory
4. a directory of files
5. a hardware device
6. a data structure, such as a stack
7. a table of the operating system
8. instructions, especially privileged instructions
9. passwords and the user authentication mechanism
10. the protection mechanism itself
The memory protection mechanism can be fairly simple because every memory access is guaranteed
to go through certain points in the hardware. With more general objects, the number of points of
access may be larger, a central authority through which all accesses pass may be lacking, and the
kind of access may not simply be limited to read, write, or execute.
There are several complementary goals in protecting objects.
● Check every access . We may want to revoke a user's privilege to access an object. If we
have previously authorized the user to access the object, we do not necessarily intend that
the user should retain indefinite access to the object.
● Enforce least privilege . The principle of least privilege states that a subject should have
access to the smallest number of objects necessary to perform some task. Even if extra
information would be useless or harmless if the subject were to have access, the subject
should not have that additional access.
● Verify acceptable usage . Ability to access is a yes-or-no decision. But it is equally important
to check that the activity to be performed on an object is appropriate.
Directory
● One simple way to protect an object is to use a mechanism that works like a file directory.
● Every file has a unique owner who possesses "control" access rights (including the rights to
declare who has what access) and to revoke access to any person at any time.
● Each user has a file directory, which lists all the files to which that user has access.
Several difficulties can arise.
● The list becomes too large if many shared objects, such as libraries of subprograms or a
common table of users, are accessible to all users.
● The directory of each user must have one entry for each such shared object, even if the user
has no intention of accessing the object.
● Deletion must be reflected in all directories.

4.
LECTURE 8: DATABASE SECURITY
A database is a collection of data and a set of rules that organize the data by specifying certain
relationships among the data.
A database administrator is a person who defines the rules that organize the data and also controls who
should have access to what parts of the data.
The user interacts with the database through a program called a database manager or a database
management system (DBMS), informally known as a front end.

Advantages of Using Databases

A database is a single collection of data, stored and maintained at one central location, to which many
people have access as needed.
The actual implementation may involve some other physical storage arrangement or access. The essence
of a good database is that the users are unaware of the physical arrangements; the unified logical
arrangement is all they see. A database offers many advantages over a simple file system:
● shared access, so that many users can use one common, centralized set of data
● minimal redundancy, so that individual users do not have to collect and maintain their own sets of
data
● data consistency, so that a change to a data value affects all users of the data value
● data integrity, so that data values are protected against accidental or malicious undesirable
changes
● controlled access, so that only authorized users are allowed to view or to modify data values
A DBMS is designed to provide these advantages efficiently. However, as often happens, the objectives can
conflict with each other.
This clash is not surprising, because measures taken to enforce security often increase the computing
system's size or complexity.
Security interests may also reduce the system's ability to provide data to users by limiting certain queries
that would otherwise seem innocuous .

Security Requirements
The following is a list of requirements for database security.
● Physical database integrity. The data of a database are immune to physical problems, such as
power failures, and someone can reconstruct the database if it is destroyed through a catastrophe.
● Logical database integrity. The structure of the database is preserved. With logical integrity of a
database, a modification to the value of one field does not affect other fields, for example.
● Element integrity. The data contained in each element are accurate.
● Auditability. It is possible to track who or what has accessed (or modified) the elements in the
database.
● Access control. A user is allowed to access only authorized data, and different users can be
restricted to different modes of access (such as read or write).
● User authentication. Every user is positively identified, both for the audit trail and for permission to
access certain data.
● Availability. Users can access the database in general and all the data for which they are
authorized.

Integrity of the Database

If a database is to serve as a central repository of data, users must be able to trust the accuracy of the data
values.
● This condition implies that the database administrator must be assured that updates are
performed only by authorized individuals.
● It also implies that the data must be protected from corruption, either by an outside illegal program
 action or by an outside force such as fire or a power failure.
Two situations can affect the integrity of a database:
1. when the whole database is damaged
2. when individual data items are unreadable.

It is important to be able to reconstruct the database at the point of a failure. For instance, when the power
fails suddenly, a bank's clients may be in the middle of making transactions or students may be in the midst
of registering online for their classes.
The DBMS must maintain a log of transactions. In the event of a system failure, the system can obtain
accurate account balances by reverting to a backup copy of the database and reprocessing all later
transactions from the log.

Element Integrity
The integrity of database elements is their correctness or accuracy. Authorized users are responsible for
entering correct data in databases. However, users and programs make mistakes collecting data,
computing results, and entering values.
DBMSs sometimes take special action to help catch errors as they are made and to correct errors after they
are inserted.
This corrective action can be taken in three ways.
1. The DBMS can apply field checks, activities that test for appropriate values in a position. A field
might be required to be numeric, an uppercase letter, or one of a set of acceptable characters. The
check ensures that a value falls within specified bounds or is not greater than the sum of the values
in two other fields. These checks prevent simple errors as the data are entered.
2. Provided by access control. Data files may contain data from several sources, and redundant data
may be stored in several different places.
3. Means of providing database integrity is maintaining a change log for the database. A change log
lists every change made to the database; it contains both original and modified values. Using this
log, a database administrator can undo any changes that were made in error.

Auditability
For some applications it may be desirable to generate an audit record of all access (read or write) to a
database.
● Such a record can help to maintain the database's integrity, or at least to discover after the fact
who had affected what values and when.
● Users can access protected data incrementally; that is, no single access reveals protected data,
but a set of sequential accesses viewed together reveals the data, much like discovering the clues in
a detective novel . In this case, an audit trail can identify which clues a user has already been given,
as a guide to whether to tell the user more.
● it is possible for a record to be accessed but not reported to a user, as when the user performs a
select operation.

Access Control
Databases are often separated logically by user access privileges.
Limited access is both a responsibility and a benefit of this centralization.
The database administrator specifies who should be allowed access to which data, at the view, relation,
field, record, or even element level.
The DBMS must enforce this policy, granting access to all specified data or no access where prohibited .
Restricting inference may mean prohibiting certain paths to prevent possible inferences. Restricting access
to control inference also limits queries from users who do not intend unauthorized access to values.
Moreover, attempts to check requested accesses for possible unacceptable inferences may actually
degrade the DBMS's performance.

User Authentication
The DBMS can require rigorous user authentication. A DBMS might insist that a user pass both specific
password and time-of-day checks. This authentication supplements the authentication performed by the
operating system.

Availability
A DBMS has aspects of both a program and a system. It is a program that uses other hardware and
software resources, yet to many users it is the only application run. Users often take the DBMS for granted,
employing it as an essential tool with which to perform particular tasks .
Integrity/Confidentiality/Availability
The three aspects of computer security ”integrity, confidentiality, and availability ”clearly relate to database
management systems.
● integrity is a major concern in the design of database management systems.
● Confidentiality is a key issue with databases because of the inference problem, whereby a user can
access sensitive data indirectly. Inference and access control are covered later in this chapter.
● Availability is important because of the shared access motivation underlying database
development. However, availability conflicts with confidentiality. The last sections of the chapter
address availability in an environment in which confidentiality is also important.

Reliability and Integrity

Database concerns about reliability and integrity can be viewed from three dimensions:
● Database integrity: concern that the database as a whole is protected against damage, as from
the failure of a disk drive or the corruption of the master database index. These concerns are
addressed by operating system integrity controls and recovery procedures.
● Element integrity: concern that the value of a specific data element is written or changed only by
authorized users. Proper access controls protect a database from corruption by unauthorized
users.
● Element accuracy: concern that only correct values are written into the elements of a database.
Checks on the values of elements can help to prevent insertion of improper values. Also, constraint
conditions can detect incorrect values.

Several factors can make data sensitive.

● Inherently sensitive. The value itself may be so revealing that it is sensitive. Examples are the
locations of defensive missiles or the median income of barbers in a town with only one barber.
● From a sensitive source. The source of the data may indicate a need for confidentiality. An
example is information from an informer whose identity would be compromised if the information
were disclosed.
● Declared sensitive. The database administrator or the owner of the data may have declared the
data to be sensitive. Examples are classified military data or the name of the anonymous donor of a
piece of art.
● Part of a sensitive attribute or a sensitive record. In a database, an entire attribute or record may
be classified as sensitive. Examples are the salary attribute of a personnel database or a record
describing a secret space mission.
● Sensitive in relation to previously disclosed information. Some data become sensitive in the
presence of other data. For example, the longitude coordinate of a secret gold mine reveals little, but
the longitude coordinate in conjunction with the latitude coordinate pinpoints the mine.
All of these factors must be considered to determine the sensitivity of the data.
Multilevel Databases
So far, we have considered data in only two categories: either sensitive or nonsensitive.
Sensitivity is determined not just by attribute but also in ways that we investigate below.

Three characteristics of database security emerge.

● The security of a single element may be different from the security of other elements of the same
record or from other values of the same attribute. This situation implies that security should be
implemented for each individual element.
● Two levels ”sensitive and nonsensitive ”are inadequate to represent some security situations.
Several grades of security may be needed. These grades may represent ranges of allowable
knowledge, which may overlap. Typically, the security grades form a lattice.
● The security of an aggregate ”a sum, a count, or a group of values in a database ”may be different
from the security of the individual elements. The security of the aggregate may be higher or lower
than that of the individual elements.
Proposals f or Multilevel Security
Sensitivity Lock
A sensitivity lock is a combination of a unique identifier (such as the record number) and the sensitivity level.
Because the identifier is unique, each lock relates to one particular record. Many different elements will have
the same sensitivity level. A malicious subject should not be able to identify two elements having identical
sensitivity levels or identical data values just by looking at the sensitivity level portion of the lock. Because of
the encryption, the lock's contents, especially the sensitivity level, are concealed from plain view. Thus, the
lock is associated with one specific record, and it protects the secrecy of the sensitivity level of that record.

Separation
Separation is necessary to limit access. These mechanisms can help to implement multilevel security for
databases.

Partitioning
The database is divided into separate databases, each at its own level of sensitivity. This approach is similar
to maintaining separate files in separate file cabinets .
This control destroys a basic advantage of databases: elimination of redundancy and improved accuracy
through having only one field to update.
It does not address the problem of a high-level user who needs access some low-level data combined with
high-level data.
Nevertheless, because of the difficulty of establishing, maintaining, and using multilevel databases, many
users with data of mixed sensitivities handle their data by using separate, isolated databases.

Encryption
If sensitive data are encrypted, a user who accidentally receives them cannot interpret the data. Thus, each
level of sensitive data can be stored in a table encrypted under a key unique to the level of sensitivity.

Integrity Lock
The lock is a way to provide both integrity and limited access for a database.

Summary of Database Security

This lecture has addressed three aspects of security for database management systems: confidentiality
and integrity problems specific to database applications, the inference problem for statistical databases,
and problems of including users and data of different sensitivity levels in one database.
Both confidentiality and integrity are important to users of databases.
Confidentiality can be broken by indirect disclosure of a negative result or of the bounds of a value. Integrity
of the entire database is a responsibility of the DBMS software; this problem is handled by most major
commercial systems through backups , redundancy, change logs, and two-step updates. Integrity of an
individual element of the database is the responsibility of the database administrator, who defines the
access policy.

Multilevel secure databases must provide both confidentiality and integrity. Separation can be implemented
physically, logically, or cryptographically .
The five approaches to assuring confidentiality in multilevel secure databases:
● integrity lock,
● trusted front end,
● commutative filters,
● distributed databases, and
● restricted views.
But the analysis of the problems and the derivation of techniques are typical of how we analyze security
needs in any software application.

Exercise
Discuss emerging trends in Information security.